Protecting a system against a worm requires a combination of basic system
security and good network security. There are a variety of procedures and tools
which can be applied to protect the system.

In basic system security, the most important means of defense against worms is
the identification & authentication (I&A) controls, which are usually
integrated into the system. If poorly managed, these controls become a
vulnerability which is easily exploited. Worms are especially adept at
exploiting such vulnerabilities; both the Internet and DECnet worms targeted
I&A controls.

Add-on tools include configuration review tools (such as COPS [GS91] for UNIX systems)
and checksum-based change detection tools. Design of configuration review tools
requires intimate knowledge of the system, but no knowledge of the worm code.
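The checksum-based change detection tool mentioned above can be illustrated with a small example. The following code is added here and is not part of the original text or of COPS; it uses SHA-256 (a modern choice, not the checksums of the era), builds a baseline of file digests for a directory tree, and then reports which files were added, removed or modified. The file names and contents in the demo scenario are constructed.

```python
"""Checksum-based change detection (added example, not from the original text).

A baseline maps each regular file under a root directory to its digest. A later
baseline is compared against it to classify files as added, removed or modified.
"""
import hashlib
import os
import tempfile


def file_digest(path, algorithm="sha256"):
    """Return the hex digest of a file, read in chunks so large files fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file (path relative to root) to its digest.

    Symbolic links are skipped: hashing them would record the target's content
    under the link's name and hide a retargeted link.
    """
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            baseline[os.path.relpath(full, root)] = file_digest(full)
    return baseline


def compare(baseline, current):
    """Classify the differences between a stored baseline and a fresh one."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a small tree, alter it, and detect the changes."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "etc", "passwd"), "w") as f:
        f.write("root:x:0:0:root:/root:/bin/sh\n")
    with open(os.path.join(root, "etc", "hosts.equiv"), "w") as f:
        f.write("trusted-host\n")
    baseline = build_baseline(root)

    # Simulated changes: a trust entry is appended, one file is removed, one is added.
    with open(os.path.join(root, "etc", "hosts.equiv"), "a") as f:
        f.write("another-host\n")
    os.remove(os.path.join(root, "etc", "passwd"))
    with open(os.path.join(root, "etc", "rc.local"), "w") as f:
        f.write("exit 0\n")
    return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In practice the baseline itself must be stored where a compromised system cannot rewrite it (read-only media or a separate host), otherwise the tool only confirms whatever the intruder left behind.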

Another class of add-on tools is the intrusion detection tool. This is somewhat
analogous to the PC monitoring software, but is usually more complex. This
tool reviews series of commands to determine if the user is doing something
suspicious. If so, the system manager is notified.
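An intrusion detection tool that reviews series of commands can be sketched as a rule set over command sequences rather than single commands. The block below is an added example, not code from the original text; the rules, the set of transfer commands and the sample log are constructed for illustration, and the session records are assumed to be (user, command) pairs already extracted from accounting data.

```python
"""Rule-based review of per-user command sequences (added example).

Each rule is an ordered list of predicates plus a window length, measured in
commands. A rule fires when its predicates match, in order, within one window,
so ordinary single use of any one tool does not raise an alert by itself.
"""
from collections import defaultdict


def first_word(cmd):
    """The command name, or an empty string for an empty line."""
    parts = cmd.split()
    return parts[0] if parts else ""


# Constructed rule set; real deployments would tune these to the site.
RULES = [
    {
        "name": "repeated su attempts within a short span",
        "sequence": [lambda c: first_word(c) == "su"] * 3,
        "window": 6,
    },
    {
        "name": "credential file read followed by network transfer",
        "sequence": [
            lambda c: "/etc/passwd" in c,
            lambda c: first_word(c) in ("ftp", "rcp", "uucp"),
        ],
        "window": 5,
    },
]


def match_sequence(commands, predicates):
    """True if the predicates match, in order, on a subsequence of commands."""
    i = 0
    for cmd in commands:
        if i < len(predicates) and predicates[i](cmd):
            i += 1
    return i == len(predicates)


def review_session(commands, rules=RULES):
    """Return the sorted names of the rules this command sequence fires."""
    fired = set()
    for rule in rules:
        width = rule["window"]
        for start in range(len(commands)):
            if match_sequence(commands[start:start + width], rule["sequence"]):
                fired.add(rule["name"])
                break
    return sorted(fired)


def review_log(records, rules=RULES):
    """Group (user, command) records by user; report users whose sequence fires a rule."""
    per_user = defaultdict(list)
    for user, cmd in records:
        per_user[user].append(cmd)
    alerts = {}
    for user, cmds in per_user.items():
        fired = review_session(cmds, rules)
        if fired:
            alerts[user] = fired
    return alerts


# Constructed sample log: alice's single password-file lookup is benign on its own.
SAMPLE_LOG = [
    ("alice", "ls -l"),
    ("alice", "vi report.txt"),
    ("alice", "cat /etc/passwd"),
    ("alice", "lpr report.txt"),
    ("mallory", "su root"),
    ("mallory", "su root"),
    ("mallory", "su root"),
    ("mallory", "cat /etc/passwd"),
    ("mallory", "rcp /etc/passwd far-host:/tmp/p"),
]

if __name__ == "__main__":
    for user, fired in review_log(SAMPLE_LOG).items():
        print(f"notify system manager: {user}: {', '.join(fired)}")
```

The window keeps the rules from firing on commands spread across a whole day of normal work; the cost is that a sufficiently slow sequence goes unnoticed, which is the usual trade-off in this class of tool.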

One type of network security tool is the wrapper program. Wrapper programs can
be used to ``filter'' network connections, rejecting or allowing certain types
of connections (or connections from a pre-determined set of systems). This can
prevent worm infections by ``untrusted'' systems. Overlaps in trust may still
allow infection to occur (A trusts B but not C; B trusts C; C infects B which
infects A) but the rate of propagation will be limited.
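The overlapping-trust case in the paragraph above (A trusts B but not C; B trusts C) can be worked through with a small simulation. This is an added example, not code from the original text: each host's wrapper is modelled as an allow-list of source hosts, infection spreads in rounds from an infected host to every host whose wrapper accepts it, and the host names and trust relations are the constructed ones from the text plus an isolated host D.

```python
"""Wrapper allow-lists and transitive trust (added example).

A wrapper on a host accepts a connection only if the source is on that host's
allow-list; a host with no wrapper accepts everything. The simulation returns
the round in which each reachable host is infected (round 0 is the seed).
"""


def wrapper_accepts(allow_lists, target, source):
    """Decision the wrapper on `target` makes about a connection from `source`."""
    allowed = allow_lists.get(target)
    if allowed is None:
        return True  # no wrapper installed: every connection is accepted
    return source in allowed


def simulate(hosts, allow_lists, initially_infected):
    """Spread one hop per round; return {host: round_infected} for hosts reached."""
    infected = {h: 0 for h in initially_infected}
    frontier = set(initially_infected)
    rnd = 0
    while frontier:
        rnd += 1
        newly = set()
        for src in frontier:
            for dst in hosts:
                if dst not in infected and wrapper_accepts(allow_lists, dst, src):
                    newly.add(dst)
        for h in newly:
            infected[h] = rnd
        frontier = newly
    return infected


HOSTS = ["A", "B", "C", "D"]
# Constructed policy from the text: A trusts B but not C; B trusts C; C and D trust nobody.
WRAPPERS = {"A": {"B"}, "B": {"C"}, "C": set(), "D": set()}

if __name__ == "__main__":
    print("with wrappers:   ", simulate(HOSTS, WRAPPERS, ["C"]))
    print("without wrappers:", simulate(HOSTS, {}, ["C"]))
```

With the wrappers in place, C infects B in round 1 and A only in round 2, while D is never reached; without wrappers every host is reached in round 1. The wrapper does not close the B-to-A path, it only slows the spread and narrows it to the hosts that explicitly trust an infected one.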

These tools do not protect a system against the exploitation of flaws in the
operating system. This issue must be dealt with at the time of procurement.
After procurement, it becomes a procedural issue. Resources
are available to system managers to keep them abreast of security bugs and bug
fixes, such as the CERT computer security advisories.

Another class of security tools can be employed to protect a network
against worms. The firewall system [GS91] protects an organizational network
from systems in the larger network world. Firewall systems are found in two
forms: simple or intelligent. An intelligent firewall filters all connections
between hosts on the organizational network and the world-at-large. A simple
firewall disallows all connections with the outside world, essentially splitting
the network into two different networks. To transfer information between hosts
on the different networks, an account on the firewall system is required.
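The two firewall forms can be compared as two policy functions over a connection (source address, destination address, destination port). The code below is an added example, not from the original text or from [GS91]: the organizational network range, the firewall host address and the rule list are constructed, and "intelligent" is modelled as an ordered rule list with a default of deny, while "simple" refuses every connection that crosses the boundary except one terminating on the firewall host itself, where the text says an account is required.

```python
"""Simple versus intelligent firewall policy (added example).

Internal traffic never reaches the firewall, so both policies accept it. The
difference is in how connections crossing the organizational boundary are treated.
"""
import ipaddress

ORG_NET = ipaddress.ip_network("10.0.0.0/8")      # constructed organizational network
FIREWALL_HOST = ipaddress.ip_address("10.0.0.1")  # constructed address of the firewall system


def crosses_boundary(src, dst):
    """True when exactly one endpoint is inside the organizational network."""
    return (src in ORG_NET) != (dst in ORG_NET)


def simple_firewall(src, dst, port):
    """Disallow all inside/outside connections except those to the firewall host."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not crosses_boundary(src, dst):
        return True
    return dst == FIREWALL_HOST  # users log in to the firewall and transfer from there


# Ordered rules: (source network, destination network, ports or None for any, action).
# Constructed policy: inbound mail to one host; no outbound telnet/rlogin/rsh; other
# outbound connections allowed; everything else denied by the fall-through.
INTELLIGENT_RULES = [
    ("0.0.0.0/0", "10.1.1.25/32", {25}, "allow"),
    ("10.0.0.0/8", "0.0.0.0/0", {23, 513, 514}, "deny"),
    ("10.0.0.0/8", "0.0.0.0/0", None, "allow"),
]


def intelligent_firewall(src, dst, port, rules=INTELLIGENT_RULES):
    """First matching rule decides; an unmatched boundary-crossing connection is denied."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not crosses_boundary(src, dst):
        return True
    for src_net, dst_net, ports, action in rules:
        if (src in ipaddress.ip_network(src_net)
                and dst in ipaddress.ip_network(dst_net)
                and (ports is None or port in ports)):
            return action == "allow"
    return False


if __name__ == "__main__":
    for conn in [("192.0.2.10", "10.1.1.25", 25), ("192.0.2.10", "10.1.1.26", 25),
                 ("10.2.3.4", "192.0.2.10", 23), ("10.2.3.4", "192.0.2.10", 80)]:
        print(conn, "simple:", simple_firewall(*conn), "intelligent:", intelligent_firewall(*conn))
```

Rule order matters in the intelligent form: the outbound deny for remote-login ports must precede the general outbound allow, or it never takes effect. The simple form has no such ordering problem, which is part of its appeal, at the price of routing all legitimate transfers through accounts on the firewall system.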